Trojan leading to cvchost attacks / browser problems


This topic is locked
10 replies to this topic

#1 aztex999

aztex999

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:17 PM

Posted 04 February 2011 - 08:58 PM

Oops - file in title should be "svchost."

Hi all - I sure hope I can get some help here. I caught a very bad virus(es) yesterday, with many symptoms. I'm using XP Home SP3.

How it happened: I clicked on a link to an image on an image hosting site, and got a few popups, and a couple of trojan detection warnings from Ad-aware and Norton Internet Security. Both said "No further action required," so I didn't write the names down. However, Firefox froze and I had to use Task Manager to close the firefox.exe file.

Symptoms: Since then, I've had multiple messages (usually every 15 minutes) from NIS that a recent attack was blocked. Every time it's from a different place, but it always says the source is my svchost.exe file in my WINNT/system32 folder. Also, my computer is super-slow - and gets slower the more I use it; especially if I go online. When I registered on this site, it took over 30-40 seconds for each letter I typed to show up on the screen. Also, there seems to be a problem with Firefox. When I click on links on Google, I'm always redirected (Bookmarks and direct typing in the address window still work) to some random site, but so far, IE8 seems unaffected, albeit it's really slow. So I'm typing this in Wordpad and pasting it in the browser, just in case this happens again. Also, both browsers take forever to open.

Also, when I run Task Manager, it says svchost.exe is using a lot of CPU resources - usually between 40% - 99%.

What I've done so far: I downloaded and updated Super Anti-Spyware and did a (99%) Complete Scan in Safe Mode. I also did a Quick Scan in Safe Mode using Norton Internet Security and Malwarebytes' Anti-Malware. I realized that my Malwarebytes' had not been updated recently, so I updated it and will run another scan in Safe Mode after I post this. I'm assuming it will take a while to get a response to this. I've also thought of uninstalling Firefox and re-installing it.

BTW, all the scans showed nothing but tracking cookies, which I deleted. And all scans took much longer than usual. For instance, the SAS scan took over 8 hours - I stopped it after it got thru the WINNT folder (there's not much left after that, but I do have a folder called "Work Projects" with a lot of large .rar files that I know aren't malicious, so I stopped it).

I'll check back with an update on the updated Malwarebyte scan and see if anyone's replied. Should I perhaps not do the scan in Safe Mode? I thought perhaps running in safe mode prevents the malicious code from loading? Hey - if I had a clue, I'd be fixing this myself . . .

In advance, I'll say thank you for any help. I know you could be doing other things with your time, and I appreciate the help.

-aztex999-

Edited by aztex999, 04 February 2011 - 09:01 PM.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:17 AM

Posted 04 February 2011 - 09:38 PM

Hello, I moved this from XP to the Am I Infected forum, where we will wait for the outcome of the MBAM scan.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 aztex999

aztex999
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:17 PM

Posted 05 February 2011 - 12:47 AM

Thanks, boopme, for moving this to the correct forum.
MBAM scan showed nothing:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5680

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/4/2011 10:12:57 PM
mbam-log-2011-02-04 (22-12-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 272644
Time elapsed: 2 hour(s), 26 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
_______________________________________

Computer still running like molasses in January.

Also, the redirect problem in Firefox seems to have disappeared (for now).
I frequently get this message from Windows, too:
Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.

EDITED NEXT DAY: Before I went to bed, I also ran a Norton Internet Security Complete Scan in Safe Mode - it found nothing. I rebooted this morning, and after giving the computer 10 minutes to wake up, was greeted by yet another "Recent attack blocked" message.

Also, it takes 4 or 5 tries to finally get Firefox to open - I tried clicking on the Quick Launch toolbar, double-clicking on the desktop icon; even right-clicking and choosing "open."

Just got another "attack" warning - let's see if I can insert or attach it:

[screenshot of the Norton "attack blocked" alert; image not preserved]

BTW - after browsing thru this site, my problem seems similar to this one:
http://www.bleepingcomputer.com/forums/topic303320.html

Just in case it's suggested, I've downloaded Dr Web CureIt.

Edited by aztex999, 05 February 2011 - 11:53 AM.


#4 aztex999

aztex999
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:17 PM

Posted 05 February 2011 - 01:34 PM

Update:

Dr Web CureIt has obviously changed since the above-referenced post of a year ago. I printed the instructions, but, although similar, Dr Web CureIt doesn't operate like it did in March 2010. When I clicked on the exe file, instead of opening an installation wizard, it opened the program. It opened in "Enhanced Protection Mode," and implied that it would find anything already open. All other windows in the background were shaded, and it gave the look of the Safe Mode screen, i.e. text at corners of screen.

Long story short - the log file is way too long to attach, but right off the bat it found and eradicated BackDoor.Tdss.565 in my C:\WINNT\system32\svchost.exe.1164 and also Backdoor.Tdss.4005 in my Master Boot Record HDD1 - although no action was reported on the latter. When the Express Scan finished (about an hour later), it prompted me to Cure All and reboot; which I did.

I think, to be sure, I'll restart in Safe Mode and try a Complete Scan, although for the first time in two days, I have received no "attack attempts" from Norton since rebooting - it's been about a half hour now. Also, browsers and email now open much quicker with one click on the Quick Launch taskbar. I hope this is the end of it. If so, thanks for keeping year-old threads around so I could research it on my own!

If I don't post in the next day or so, I'll consider this problem fixed.
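As an added, defender-side example that is not part of this thread (it is neither aztex999's nor boopme's, and not a Dr Web, Norton or ESET tool): a PowerShell snippet that inventories the running svchost.exe instances, the services each one hosts and its CPU time, and then lists every file in System32 whose name begins with svchost.exe, which is the pattern of the svchost.exe.1164 file that Dr Web CureIt flagged above. The column names and layout are mine. It assumes PowerShell 2.0 or later (XP SP3 can run it once it is installed) and an Administrator prompt, since WMI only reports an executable path for processes it can open. Two caveats a practitioner would want: a bootkit like the TDSS that was found in the MBR can hide files and processes from user-mode tools, so a clean listing here does not replace the scanner results; and on XP the genuine svchost.exe is catalog-signed, so Get-AuthenticodeSignature reports NotSigned for it, which means the signature column is there to spot a file that presents a different signer, not to treat NotSigned alone as proof of tampering.

```powershell
# Added triage example, not code from this thread. Assumes PowerShell 2.0+ run as Administrator.
$system32      = Join-Path $env:SystemRoot 'system32'
$expectedImage = Join-Path $system32 'svchost.exe'

# 1. Every running svchost.exe: PID, CPU seconds, image path check, and the services it hosts.
#    WMI is used instead of Get-Process so the same code works on PowerShell 2.0 on XP.
$procs    = @(Get-WmiObject Win32_Process -Filter "Name='svchost.exe'")
$services = @(Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 })

"{0,6} {1,8} {2,-16} {3,-40} {4}" -f 'PID', 'CPU(s)', 'image check', 'image path', 'hosted services'
foreach ($p in $procs) {
    # Kernel and user times are reported in 100 ns units; convert to seconds.
    $cpuSec = [math]::Round(([double]$p.KernelModeTime + [double]$p.UserModeTime) / 1e7, 1)
    # Services are tied to their host by ProcessId; an svchost hosting no service is itself odd.
    $hosted = ($services | Where-Object { $_.ProcessId -eq $p.ProcessId } | ForEach-Object { $_.Name }) -join ', '
    if ($hosted -eq '') { $hosted = '(none)' }
    # A genuine service host always runs from the System32 image; any other path is suspect.
    $check = if ([string]$p.ExecutablePath -ieq $expectedImage) { 'ok' } else { 'UNEXPECTED PATH' }
    "{0,6} {1,8} {2,-16} {3,-40} {4}" -f $p.ProcessId, $cpuSec, $check, $p.ExecutablePath, $hosted
}

# 2. Files in System32 named svchost.exe or svchost.exe.<suffix> (the shape of the
#    svchost.exe.1164 reported above). Size, last-write time and Authenticode status help
#    tell the OS file from a dropped copy. On XP the real file shows NotSigned because it is
#    catalog-signed, so look for an unexpected signer or an extra file, not NotSigned itself.
""
Get-ChildItem -Path $system32 -Filter 'svchost.exe*' -Force | ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
    "{0,-24} {1,10} bytes  {2:yyyy-MM-dd HH:mm}  {3,-12} {4}" -f $_.Name, $_.Length, $_.LastWriteTime, $sig.Status, $signer
}
```

Run it from an elevated PowerShell prompt and compare the second listing against a known-good XP SP3 machine: one svchost.exe of the same size and date is expected, and any additional svchost.exe.* file, or a running instance whose image path is not System32\svchost.exe, is what to hand to the scanner or the removal team rather than delete by hand.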

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:17 AM

Posted 06 February 2011 - 03:30 PM

Sorry, it was my birthday yesterday and I could not get back here to reply. Glad you found my old ones!! Yes, Dr Web has changed, but killing the Tdss was important.
You should have it now.

Let's run an online scan and see if there is anything else.

Please perform a scan with ESET Online Antivirus Scanner.
This scan requires Internet Explorer, Opera or Firefox to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green [button image].
  • Read the End User License Agreement and check the box:
  • Check [checkbox image].
  • Click the [button image] button.
  • Accept any security warnings from your browser.
  • Check [checkbox image].
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push [button image].
  • Push [button image], and save the file to your desktop as ESETScan.txt.
  • Push the [button image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click [button image] > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.

#6 aztex999

aztex999
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:17 PM

Posted 07 February 2011 - 03:31 PM

Boopme,

Thanks, and Happy Birthday!

ESET found no traces of any problems; so no log file was created. Looks like Dr Web CureIt took care of the problem.

Thanks again for having this site available to research the problem - I was really freaking out a few days ago!!

BTW - Although Norton isn't giving me "intrusion attempt blocked" message windows any longer, when I go into my NIS History, it's showing that "unauthorized access attempts" (Open Process Token) are being blocked about once every hour (around the same time, too. It flags these attempts as medium risk, as compared to the high risk windows I was getting every 15 minutes a few days ago). They seem to be coming from Windows Defender. Is this just a compatibility issue between Windows Defender and Norton Internet Security?

Thanks again.

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:17 AM

Posted 07 February 2011 - 04:02 PM

To be absolutely certain you are not leaving something here, let's get a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#8 aztex999

aztex999
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:17 PM

Posted 08 February 2011 - 06:05 PM

My computer keeps trying to open dds.scr in Notepad. Perhaps because I have AutoCAD installed on my computer, it thinks it's an AutoCAD script. That's how it's listed by "Type" in Windows Explorer.

If there's a workaround to this; I'm game - otherwise, I think my computer is in good shape.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:17 AM

Posted 08 February 2011 - 09:05 PM

Please download this file: xp_scr_fix.

Unpack the file onto your desktop and double-click it. You will be asked if you wish to merge the file with your registry; say yes.

You should then be able to run DDS.scr.

#10 aztex999

aztex999
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:17 PM

Posted 09 February 2011 - 02:38 PM

When I clicked on gmer.exe, it rebooted my computer. I'm now getting "Unresponsive script" message from Firefox (occasionally).

I will start another thread in the forum you requested, and will either paste or attach the two dds log files. I'll come back and edit this post with a link there.

EDIT: Log files posted here: My link

Edited by aztex999, 09 February 2011 - 02:51 PM.


#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:17 AM

Posted 09 February 2011 - 03:21 PM

Ok, that looks good. Don't worry about GMER for now. When they reply to you, you can explain it.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another MRL Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.